RdSwQ.exe

First submission 2022-08-02 20:30:02

File details

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
File type:	136.0 KB (139264 bytes)
Compile time:	2022-07-26 15:17:49
MD5:	6862264bbd7688ac4bd96f16786cd153
SHA1:	8fd23a996f8b78914f9969cb3c31be7ffd02e346
SHA256:	701ef63a3a8c4f2eb90d64cd897e0098460e1272a54404b90ab794a685b98ffc
Import Hash :	4f7271df0bf201cf627af3103fba2c2e
Sections 3	.text .data .rsrc
Directories 2	import resource
Virus Total:	38/71 VT report date: 2022-08-02 17:47:23

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://109.206.241.81/htdocs/RdSwQ.exe	109.206.241.81	2022-08-02 20:30:02

PE Sections 0 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x1e4c0	126976	20045349b2dd96ffdc02ff418b65033400e4c977	7db9b859c8c74a9df2e24e10ed198fce
.data	0x20000	0xbd4	4096	1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d	620f0b67a91f7f74151bc5be745b7110
.rsrc	0x21000	0x9ec	4096	ce291e0c8941b05388f65f2a30b5b0aa75c09835	739956d4fc24a96de9f42a5a31c4c312

PE Resources 3

Name	Language	Sublanguage	Offset	Size	Data
RT_ICON	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x214ac	296
RT_GROUP_ICON	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x2147c	48
RT_VERSION	LANG_ENGLISH	SUBLANG_ENGLISH_US	0x21150	812	PE Resource: RT_VERSION - Data ,4VS_VERSION_INFODVarFileInfo$Translation StringFileInfoh040904B04Commentsmisinference8CompanyNamefirebreaksHFileDescriptionindoctrination<LegalCopyrightfireball 12DLegalTrademarksgesneriaceous0ProductNameabacli4FileVersion1.02.00038ProductVersion1.02.00038InternalNamediaglypticHOriginalFilenamediaglyptic.exe

Name

Language

Sublanguage

Offset

Size

Data

RT_ICON

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x214ac

296

RT_GROUP_ICON

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x2147c

RT_VERSION

LANG_ENGLISH

SUBLANG_ENGLISH_US

0x21150

812

Meta infos 11

FileDescription:	indoctrination
OriginalFilename:	diaglyptic.exe
LegalCopyright:	fireball 12
Translation:	0x0409 0x04b0
InternalName:	diaglyptic
Comments:	misinference
LegalTrademarks:	gesneriaceous
FileVersion:	1.02.0003
ProductName:	abacli
ProductVersion:	1.02.0003
CompanyName:	firebreaks

Packers detected 2

Microsoft Visual Basic v5.0
Microsoft Visual Basic v5.0 - v6.0

Strings analysis - File found

Compressed
\CryptoWallets.zip
\Files.zip
Autogen
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Library
KERNEL32.dll
MSVBVM60.DLL
WININET.dll
SHELL32.dll
VBA6.DLL

Strings analysis - Possible URLs found 1

https://api.telegram.org/bot

Import functions

MSVBVM60.DLL 130

Function	Address	Souspicious	Anti Debug
_CIcos	0x401000
_adj_fptan	0x401004
__vbaVarMove	0x401008
__vbaVarVargNofree	0x40100c
__vbaFreeVar	0x401010
__vbaAryMove	0x401014
__vbaLenBstr	0x401018
__vbaStrVarMove	0x40101c
__vbaEnd	0x401020
__vbaFreeVarList	0x401024
_adj_fdiv_m64	0x401028
__vbaFreeObjList	0x40102c
None	0x401030
_adj_fprem1	0x401034
__vbaStrCat	0x401038
__vbaRecDestruct	0x40103c
__vbaSetSystemError	0x401040
__vbaLenBstrB	0x401044
__vbaHresultCheckObj	0x401048
_adj_fdiv_m32	0x40104c
None	0x401050
None	0x401054
__vbaAryDestruct	0x401058
None	0x40105c
__vbaExitProc	0x401060
__vbaForEachCollObj	0x401064
None	0x401068
__vbaOnError	0x40106c
__vbaObjSet	0x401070
_adj_fdiv_m16i	0x401074
__vbaObjSetAddref	0x401078
_adj_fdivr_m16i	0x40107c
_CIsin	0x401080
__vbaErase	0x401084
None	0x401088
None	0x40108c
None	0x401090
None	0x401094
__vbaNextEachCollObj	0x401098
__vbaVarZero	0x40109c
__vbaChkstk	0x4010a0
__vbaFileClose	0x4010a4
EVENT_SINK_AddRef	0x4010a8
__vbaGenerateBoundsError	0x4010ac
__vbaStrCmp	0x4010b0
None	0x4010b4
__vbaAryConstruct2	0x4010b8
__vbaI2I4	0x4010bc
__vbaObjVar	0x4010c0
DllFunctionCall	0x4010c4
__vbaFpUI1	0x4010c8
__vbaLbound	0x4010cc
__vbaRedimPreserve	0x4010d0
_adj_fpatan	0x4010d4
__vbaRedim	0x4010d8
EVENT_SINK_Release	0x4010dc
__vbaNew	0x4010e0
__vbaUI1I2	0x4010e4
_CIsqrt	0x4010e8
EVENT_SINK_QueryInterface	0x4010ec
__vbaStr2Vec	0x4010f0
__vbaUI1I4	0x4010f4
__vbaStrUI1	0x4010f8
__vbaExceptHandler	0x4010fc
__vbaPrintFile	0x401100
__vbaStrToUnicode	0x401104
None	0x401108
None	0x40110c
_adj_fprem	0x401110
_adj_fdivr_m64	0x401114
None	0x401118
None	0x40111c
None	0x401120
__vbaFPException	0x401124
None	0x401128
None	0x40112c
__vbaStrVarVal	0x401130
__vbaUbound	0x401134
__vbaGetOwner3	0x401138
__vbaVarCat	0x40113c
None	0x401140
None	0x401144
None	0x401148
_CIlog	0x40114c
__vbaErrorOverflow	0x401150
__vbaFileOpen	0x401154
__vbaVarLateMemCallLdRf	0x401158
__vbaNew2	0x40115c
__vbaInStr	0x401160
None	0x401164
None	0x401168
__vbaVar2Vec	0x40116c
_adj_fdiv_m32i	0x401170
_adj_fdivr_m32i	0x401174
None	0x401178
__vbaStrCopy	0x40117c
__vbaFreeStrList	0x401180
__vbaDerefAry1	0x401184
_adj_fdivr_m32	0x401188
__vbaPowerR8	0x40118c
_adj_fdiv_r	0x401190
None	0x401194
None	0x401198
None	0x40119c
__vbaAryLock	0x4011a0
__vbaVarAdd	0x4011a4
__vbaLateMemCall	0x4011a8
__vbaStrToAnsi	0x4011ac
__vbaVarDup	0x4011b0
__vbaVarCopy	0x4011b4
None	0x4011b8
__vbaFpI4	0x4011bc
__vbaVarLateMemCallLd	0x4011c0
__vbaLateMemCallLd	0x4011c4
_CIatan	0x4011c8
None	0x4011cc
__vbaAryCopy	0x4011d0
__vbaStrMove	0x4011d4
__vbaCastObj	0x4011d8
__vbaR8IntI4	0x4011dc
__vbaStrVarCopy	0x4011e0
_allmul	0x4011e4
_CItan	0x4011e8
__vbaAryUnlock	0x4011ec
_CIexp	0x4011f0
None	0x4011f4
__vbaI4ErrVar	0x4011f8
__vbaFreeObj	0x4011fc
__vbaFreeStr	0x401200
None	0x401204

Name	Latest seen	MD5
xPBAQ.exe	2022-07-06 18:26:01	c7468437984c0dbc9da355e31bc153e7
jHRLw.exe	2022-07-26 20:58:02	bee47439c4960e2728594ece9ad95ba7
NqHNP.exe	2022-07-27 23:06:02	d7b1362070332023e5163fc54bc9decc
LqAST.exe	2022-07-28 14:26:02	a64c16946bf03bfa2c52aba4dd0b55cc
JaYSN.exe	2022-08-02 20:38:02	a3c20b8c564076ca4e520a99c6cd1764
GsLQA.exe	2022-08-02 20:53:02	97ea1fd26da454e1502d7f4de38a21af